Nomad Mobile Research Centre

Password Safe Product Review



              Product: Password Safe
              Version: 1.7
               Vendor: Counterpane Systems (http://www.counterpane.com/)
       Vendor Contact: Bruce Schneier - bschneier@counterpane.com
                       http://www.counterpane.com/passsafe.html
Platform(s) Supported: Microsoft Windows 95, 98, NT
  License/Source Code: Freeware, no license restrictions. Source code unavailable,
                       but provided to NMRC during testing.

     Test Platform(s): IBM Thinkpad 600 64MB RAM Windows NT 4.0 SP3
                       Dual Pentium 64MB RAM Windows NT 4.0 SP4

Background

Password Safe is a simple-to-use password database. It allows you to create a "safe", which you can lock with a "combination". The safe is a database containing user accounts, passwords, and other information specific to accessing a system. By placing all of your accounts and passwords into a single database and locking it with a "combination" (or passphrase), and then encrypting the data, you have a fairly safe method of managing large numbers of accounts on different systems.

This product is unbelievably simple to use. After entering the password to "unlock" your password database, you are presented with a screen where you can quickly create, edit, and even generate passwords. The best feature is that, once the database is open, you can double-click on an account listing to copy its password to the clipboard and then paste it into the password field of whatever system prompt you are logging in to.

The product is only available to U.S. and Canadian citizens due to its use of advanced encryption, which is subject to U.S. export restrictions. The product performs as advertised, and gains our Hacker Stamp of Approval. Password Safe is not without its disadvantages, though they are very few; the biggest one is that the product is only available for Windows 95/98/NT. Since the product is freeware, we do not expect a Unix version anytime soon.

Advantages/Disadvantages

We of course tested the product to ensure that it performed as stated, which it did without flaw. We will not discuss functionality here, as NMRC is mainly concerned with the security of the product. Here is a list of the main advantages to using Password Safe:

Here are the main disadvantages to using Password Safe:

Technical Details

We installed Password Safe on a fairly stock NT 4.0 workstation with Service Pack 3 loaded.

Taking the defaults, you end up with "C:\Program Files\Password Safe" being the location of all of the files. All files are visible except for Password Safe.GID, which is a hidden file. None of the files at any time contain unencrypted information normally stored within the databases; in fact, encrypted data is only found in *.DAT and *.BAK files (the database files and their backups).

The Registry settings, all located by default at HKEY_CURRENT_USER\Counterpane Systems\Password Safe, contain the values in the Options dialog box, found under the Manage menu. The locations of the last backed up database and the last modified database (known as the "currentfile") are also stored here. No information normally stored within the database files is stored in the Registry.

Examining the Password Safe.exe file under a hex editor revealed an interesting tidbit. At hex locations 0x5686a through 0x56bea is a series of Unicode messages related to Password Safe. At hex address 0x56c06 is a series of apparently generic Unicode error messages, starting right after the word "Hide". The most alarming of these messages is the one located at 0x57fb2, which is "Unable to load mail system support. Mail system DLL is invalid. Send Mail failed to send message." This seemed like a fairly disturbing message to find inside a utility that manages passwords.
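The hex-editor pass described above can be repeated with a short script. The following is an added example, not part of the original review or of Password Safe: it lists UTF-16LE ("Unicode") strings with their file offsets and flags those that suggest mail or network capability. The function names, the keyword list and the sample bytes are assumptions constructed for illustration.

```python
import re

# Runs of at least MIN_CHARS printable ASCII characters stored as UTF-16LE
# (each character followed by a 0x00 byte), the "Unicode" form used for
# Windows string resources.
MIN_CHARS = 6
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_CHARS)

# Assumed watch list: words hinting at network or mail capability.
KEYWORDS = ("mail", "smtp", "socket", "http", "ftp")


def utf16_strings(data):
    """Return (offset, text) for every UTF-16LE string run in data."""
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in UTF16_RUN.finditer(data)]


def flag_strings(data, keywords=KEYWORDS):
    """Return the strings that mention any keyword, with their offsets."""
    hits = []
    for offset, text in utf16_strings(data):
        lowered = text.lower()
        if any(k in lowered for k in keywords):
            hits.append((offset, text))
    return hits


def build_sample():
    """Constructed stand-in for an executable: binary filler, one ASCII
    string, and UTF-16LE strings (the last one quoted from the review)."""
    blob = b"\x4d\x5a\x90\x00" + b"\xff" * 12          # filler bytes
    blob += b"plain ascii, ignored"                      # not UTF-16LE
    blob += b"\xff" * 4
    blob += "Hide".encode("utf-16-le")                   # too short to report
    blob += b"\xff\xff"
    blob += "Enter the safe combination".encode("utf-16-le")
    blob += b"\x00\x00"
    blob += "Unable to load mail system support.".encode("utf-16-le")
    blob += b"\x00\x00\xff"
    return blob


if __name__ == "__main__":
    sample = build_sample()
    for offset, text in flag_strings(sample):
        print(f"0x{offset:05x}  {text}")
```

A flagged string only shows that the text is present in the file; as the review goes on to describe, deciding whether any code path uses it takes runtime observation and source review.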

We stopped and started Password Safe dozens of times, while using different *.DAT files, changing passwords and passphrases, and performing saves and backups. Never at any point did any packet leave the machine, nor was any alternate location within the machine written to, as a result of Password Safe. There were no extra ports listening or extra services or processes running that might hint at a back door or any other method of allowing a person other than the intended user to view sensitive data.

Counterpane Systems was contacted regarding this, and Bruce Schneier immediately replied with an offer for us to examine the source code, which we have done. The error message in Unicode is apparently added during the linking process, and we could find no location within the code that would ever call this error. Therefore we deemed the error erroneous and not a security breach.

Counterpane Systems should be commended for the way they responded -- it is unfortunate that this is the exception, not the rule, when reporting possible security problems within code to software vendors. What makes this even more startling is that Counterpane Systems is not in the software business, this is freeware -- they could have simply ignored the comment, or simply stated "our product was reviewed internally and the error is erroneous", leaving us to wonder.

The Password Safe.EXE is 360,960 bytes in size. When loaded into memory it takes up 393,216 bytes of memory, and hooks into the following DLLs:

Usage of the above DLLs is typical of a Microsoft Visual C++ program. As a result of using the Microsoft programming environments and the DLL usage, memory usage varies widely due to NT's funky memory block usage (by contrast, NMRC's Pandora Offline was compiled using the Win32 gcc compiler port by D. J. Delorie and uses fewer DLLs, and subsequently is assigned less memory in spite of being a larger executable).

For example, total memory usage during the load (application and data area) was 1552K at the Safe Combination Entry screen, jumping to 1744K after loading in our 12 entry database of user accounts. This amount would jump or decrease slightly with each entry added or deleted, by about 36-44K. Memory usage was fairly stable (at least by NT terms), with no memory leaks. Memory usage varied in subsequent runs by as much as 1MB; however, the increases and decreases were proportionate. This fluctuation in initial memory assignment and usage is typical of a Windows application.

Two copies of the database exist in memory at one time -- one is the encrypted version, the other is the unencrypted version. Before releasing memory the data is scrambled, so after Password Safe is closed the unencrypted data is no longer in memory. Only the encrypted version is written to disk.

Conclusions

Password Safe is an excellent product for password management within the Windows environment. It performs as advertised, was obviously built from the ground up with security in mind, and has a number of features such as password generation that make it a great product. While it only keeps your password as safe as the main passphrase (so choose it wisely), it still encourages safe computing by encouraging more complex passwords. The fact that it's free is icing on the cake. We give this product the NMRC Hacker Seal of Approval.





Updated 17Aug1999